Change expired passwords on an RDS environment

  • Question

  • Our company just set up a new Windows 2008R2 RDS environment (Gateway/Broker/Host all 2k8R2) and we ran into "cannot change expired or first login passwords" issue.

    We have 400+ users who run our app over remoteapp and our "old" environment was a straightforward remoteapp to a single server and changing expired passwords was allowed. Now, with the RDS Gateway in between the client and the host server, changing passwords is disabled.

    Is there an option, group policy setting or something that can be adjusted to allow password changing??

    I know about the RDWeb hot fix and I'm aware of the 3rd party solutions, but I would like to know: is there anything that can be done without those workarounds?

    Thank you very much.


    • Edited by Pu. Ivica Thursday, April 14, 2016 10:50 AM
    Thursday, April 14, 2016 10:49 AM

All replies

  • Hi Pu,

    Based on my experience, you cannot change an expired password if the user is connecting through RD Gateway.  This means that if a new user is required to change password at first logon or if an existing user allows their password to expire then they must use a different method (RD Web password change page, OWA, domain workstation, etc.) to change their password.

    For more information, you could refer to the thread below.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/4d8e6094-928a-4571-9a4f-28a3f202644c/windows-server-2012-r2-rd-gateway-and-expired-passwords?forum=winserverTS

    For internal users, you could configure the "Bypass RD Gateway server for local addresses" setting to bypass the Gateway to achieve your goal.

    For detailed information, you could take a look at the article below.

    Configure Remote Desktop Gateway Setting

    https://technet.microsoft.com/en-us/library/cc772479.aspx

    In addition, here is a similar thread below that fixes the problem by configuring an IIS setting (but I have not tested this) for your reference.

    https://social.technet.microsoft.com/Forums/en-US/536de5d9-044e-4520-9e1c-b3f66542e6cd/changing-password-when-connected-through-remote-desktop-gateway?forum=winserverTS

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Jay Gu Tuesday, April 26, 2016 1:14 AM
    Saturday, April 16, 2016 4:31 AM
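Since the reply above says that first-logon and expired passwords cannot be changed through RD Gateway, one check an administrator can run is to list the accounts that are already in, or close to, that state. This is an added example, not part of the original thread; the function name, the 14-day window and the sample accounts are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example: classify accounts by password state so that users who would
# be refused at the RD Gateway can be contacted or reset in advance.
function Get-GatewayPasswordRisk {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]      $WarnDays = 14,               # assumed notice period
        [datetime] $Now      = [datetime]::UtcNow
    )
    process {
        $expiry  = [long]$User.'msDS-UserPasswordExpiryTimeComputed'
        $expires = $null
        if ($User.pwdLastSet -eq 0 -or $expiry -eq 0) {
            $state = 'MustChangeAtNextLogon'     # "change password at first logon"
        } elseif ($expiry -eq [long]::MaxValue) {
            $state = 'NeverExpires'              # AD sentinel for "no expiry"
        } else {
            $expires = [datetime]::FromFileTimeUtc($expiry)
            if     ($expires -le $Now)                    { $state = 'Expired' }
            elseif ($expires -le $Now.AddDays($WarnDays)) { $state = 'ExpiringSoon' }
            else                                          { $state = 'OK' }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            State          = $state
            ExpiresUtc     = $expires
        }
    }
}

# Constructed sample objects shaped like Get-ADUser output (not real accounts).
function New-SampleUser($Name, [long]$PwdLastSet, [long]$Expiry) {
    [pscustomobject]@{
        SamAccountName                        = $Name
        pwdLastSet                            = $PwdLastSet
        'msDS-UserPasswordExpiryTimeComputed' = $Expiry
    }
}
$now  = [datetime]::UtcNow
$set  = $now.AddDays(-40).ToFileTimeUtc()
$sample = @(
    (New-SampleUser 'newhire' 0    0)
    (New-SampleUser 'lapsed'  $set $now.AddDays(-3).ToFileTimeUtc())
    (New-SampleUser 'soon'    $set $now.AddDays(5).ToFileTimeUtc())
    (New-SampleUser 'fine'    $set $now.AddDays(60).ToFileTimeUtc())
    (New-SampleUser 'svc'     $set ([long]::MaxValue))
)
$sample | Get-GatewayPasswordRisk -Now $now | Where-Object { $_.State -ne 'OK' }
```

Against a live domain, pipe `Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'` into the function instead of the sample array.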
  • Hi Jay,

    So, you are telling me there is nothing that can be done on the gateway that can change this?? I find that hard to believe. There has to be something. On the other side, it is not really convenient telling users to go there (RDWeb) and change your password and then run the rdp file and login with that new password. There is trouble teaching them to remember the passwords altogether.
    Monday, April 18, 2016 5:20 PM
  • Hi Pu,

    you are telling me there is nothing that can be done on the gateway that can change this??

    >>>To my knowledge, there is no way to achieve your goal besides RD Web password page, OWA, domain workstation, etc.

    Best Regards,

    Jay


    Friday, April 22, 2016 10:56 AM
  • Can someone from the Microsoft staff confirm with absolute certainty that there is no way to change an expired password when connecting over an RDS Gateway, and that the only way to change it is before it expires or to change it over RDWeb or OWA?

    TY

    Tuesday, April 26, 2016 3:58 PM
  • Hi Pu,

    I suggest you open a case with Microsoft; a more in-depth investigation can be done so that you would get a more satisfying explanation.

    Here is the link:

    https://support.microsoft.com/en-us/gp/support-options-for-business

    Best Regards,

    Jay


    Wednesday, April 27, 2016 7:15 AM
  • Ty for the suggestion. I did some research over the past few days and I found out that a case was indeed opened for this exact issue in 2012, and the case is still open. I somehow find it hard to believe that a function like this cannot be bypassed or turned off altogether. As I heard and read, MS is actually, with this function, protecting us. I think they'd be better off protecting people from crypto viruses than disabling a function which 90% of admins don't want disabled and was (and still is) available only if you don't use an RDS Gateway.
    • Proposed as answer by Jay Gu Tuesday, May 3, 2016 7:21 AM
    • Marked as answer by Pu. Ivica Tuesday, May 3, 2016 8:58 AM
    Monday, May 2, 2016 9:06 AM
  • Hi Pu,

    Thanks for sharing.

    If the reply above has resolved your problem, please mark it as answer as it would be helpful to anyone who encounters similar issues.

    Thank you.

    Best Regards,

    Jay


    Tuesday, May 3, 2016 7:23 AM